Platform
adobe
Component
adobe-connect
Fixed in
12.10.1
CVE-2026-27245 describes a reflected Cross-Site Scripting (XSS) vulnerability in Adobe Connect. The affected range given here is 12.10 and earlier; the advisory text also names 2025.3 both as an affected release and as the fixed release, while the version data above lists the fix in 12.10.1, so confirm the exact fixed build against the Adobe bulletin referenced below. Successful exploitation lets an attacker run script of their choosing in a victim's browser in the context of the Adobe Connect origin, which can lead to account compromise or session hijacking.
The attack path is the usual one for reflected XSS: the attacker crafts a URL to the vulnerable Adobe Connect endpoint with JavaScript in a parameter that the server echoes into the page without encoding, and gets a user to open it (by email, chat, or a fake meeting invite). The script then runs in the user's browser with the privileges of the Adobe Connect origin: it can read cookies not marked HttpOnly, read page content, and issue authenticated requests on the user's behalf. The advisory's note that the scope is changed refers to the CVSS Scope metric: the impact lands in the victim's browser rather than in the vulnerable server component, which is part of why the score is high. The impact is larger where the instance hosts sensitive training or collaboration sessions, because a hijacked session exposes whatever content and actions that user can reach.
This vulnerability was publicly disclosed on 2026-04-14. No active exploitation campaigns have been publicly confirmed and the vulnerability is not currently listed on CISA KEV, but reflected XSS is simple to exploit once the affected parameter is known, and the Critical CVSS score (9.3) warrants treating exploitation as likely. Public proof-of-concept (PoC) code is likely to emerge, which would increase the risk of widespread exploitation.
Organizations that rely on Adobe Connect for webinars, training sessions or online meetings are particularly exposed, because their users routinely follow links to the instance and a crafted link blends in. Administrative users are the highest-value targets: script running in an administrator's session can exercise every administrative function of the Adobe Connect application. The injected script is bound by the browser's same-origin policy, so other Adobe Connect instances on the same server are only at risk if they are served under the same origin (same scheme, host and port) as the vulnerable one; instances on separate hostnames are not reachable from the injected script.
• generic web: Use curl to send an XSS probe (e.g. <script>alert(1)</script>) to endpoints that reflect a parameter, URL-encoding the payload so that neither the shell nor curl mangles it. The response does not "execute" anything; check whether the payload comes back verbatim (vulnerable) or HTML-entity encoded or absent (not reflected there). Only probe instances you are authorized to test.
curl -s --get 'https://adobeconnect.example.com/some/vulnerable/page' --data-urlencode 'param=<script>alert(1)</script>' | grep -c '<script>alert(1)</script>'
• generic web: Check access and error logs for requests carrying XSS payloads: <script, event-handler attributes such as onerror=, javascript: URIs, and their percent-encoded and double-encoded forms.
• adobe: Examine any custom scripts or plugins added to the Adobe Connect installation for places where request parameters are written into HTML without output encoding.
• adobe: Review Adobe Connect's audit logs for unusual activity or unauthorized access attempts, in particular administrative actions from sessions that began shortly after a suspicious request.
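A worked version of the log check above, written for this page as an added example; it is not Adobe's code and not part of any Adobe Connect tooling. It parses combined-format access log lines (Apache, nginx, or Tomcat's AccessLogValve with the "combined" pattern), undoes percent-encoding repeatedly so that double-encoded payloads are caught, and flags requests whose path, query parameters or referer contain common reflected-XSS indicators. The log lines are constructed samples, and the paths and the parameter name are placeholders, not real Adobe Connect routes.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Combined log format: host ident user [time] "METHOD TARGET PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Indicators of a reflected-XSS probe. Checked after URL-decoding, case-insensitively.
XSS_PATTERNS = [
    re.compile(r'<\s*script', re.I),
    re.compile(r'<\s*(img|svg|iframe|body|object|embed|math|details)\b', re.I),
    re.compile(r'\bon[a-z]+\s*=', re.I),      # onerror=, onload=, onmouseover= ...
    re.compile(r'javascript\s*:', re.I),
]


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding; attackers double-encode to slip past naive filters."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def xss_indicators(text):
    """Return the patterns (as strings) that match the decoded text."""
    decoded = fully_decode(text)
    return [p.pattern for p in XSS_PATTERNS if p.search(decoded)]


def scan_access_log(lines):
    """Return one finding per request whose path, query parameters or referer carry an XSS indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format, or a truncated line; skip rather than guess
        target = m.group('target')
        parts = urlsplit(target)
        hits = {}
        path_hits = xss_indicators(parts.path)
        if path_hits:
            hits['path'] = path_hits
        # parse_qsl decodes one layer of percent-encoding; fully_decode handles further layers
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            matched = xss_indicators(value)
            if matched:
                hits['query:' + name] = matched
        matched = xss_indicators(m.group('referer'))
        if matched:
            hits['referer'] = matched
        if hits:
            findings.append({
                'host': m.group('host'),
                'time': m.group('time'),
                'status': m.group('status'),
                'target': target,
                'hits': hits,
            })
    return findings


# Constructed sample lines (not real Adobe Connect logs); paths and parameter names are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Apr/2026:10:02:11 +0000] "GET /some/vulnerable/page?param=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Apr/2026:10:02:15 +0000] "GET /some/vulnerable/page?param=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [14/Apr/2026:10:03:40 +0000] "GET /meeting/list?page=2 HTTP/1.1" 200 8731 "https://adobeconnect.example.com/" "Mozilla/5.0"',
    '198.51.100.22 - - [14/Apr/2026:10:04:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_LOG):
        print(f['time'], f['host'], f['status'], f['target'], f['hits'])
```

The second sample line is double-encoded (%253C rather than %3C); a grep for the literal string <script or for %3Cscript would miss it, which is why the decoder loops. A finding's hits dictionary records which part of the request matched, so a hit only in the referer (a user arriving from a poisoned link on another site) can be triaged separately from a hit in the query string.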
disclosure
Exploit status
EPSS
0.10% (29th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-27245 is to upgrade Adobe Connect to the fixed release (2025.3 or later as stated in this advisory; check the version data above and the Adobe bulletin for the exact build). If an immediate upgrade is not possible, WAF rules that block requests carrying script tags, event-handler attributes or javascript: URIs in query parameters reduce exposure, but treat them as a stopgap: reflected-XSS filters are routinely bypassed with encoding variants and alternative tags. Marking session cookies HttpOnly blocks cookie theft but not actions performed from within the hijacked page, and a Content-Security-Policy that disallows inline script stops this class of payload outright if the application's own pages still function under it (test first). Input sanitization is something you can apply to custom integrations you maintain, not to the vendor code. Warn users that links into the instance can be malicious even when they point at the correct hostname. After the upgrade, re-send the probe URL and confirm that the parameter is reflected HTML-encoded or not reflected at all.
Update Adobe Connect to version 2025.3 or later to fix the Cross-Site Scripting (XSS) vulnerability. The update corrects the faulty validation of user input and so prevents malicious scripts from being injected. Further details and installation instructions are available on the Adobe Security page.
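An added example of the post-upgrade check described above, written for this page and not taken from Adobe or from the Adobe Connect product. It builds the probe URL with the payload percent-encoded, and classifies a response body as reflecting the payload raw (fix not in place), reflecting it with the angle brackets neutralised (fix in place), or not reflecting it at all. The host, path and parameter name are the page's placeholders; the response bodies used in the test are constructed.

```python
import html
import urllib.error
import urllib.request
from urllib.parse import urlencode, urlsplit, urlunsplit

PROBE_PAYLOAD = '<script>alert(1)</script>'


def build_probe_url(base_url, param, payload=PROBE_PAYLOAD):
    """Put the payload in the query string percent-encoded, so the application (not the
    shell or curl) is what decodes it. Any existing query string on base_url is replaced."""
    parts = urlsplit(base_url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode({param: payload}), ''))


def classify_reflection(body, payload=PROBE_PAYLOAD):
    """How does the response reflect the probe?
      'raw'     : payload present verbatim in the HTML, so the fix is not in place
      'encoded' : payload present only with < and > neutralised (HTML entities or JS \\u escapes)
      'absent'  : payload not reflected at all (says nothing about other parameters or pages)
    """
    lowered = body.lower()
    if payload.lower() in lowered:
        return 'raw'
    neutralised = (
        html.escape(payload, quote=True),
        payload.replace('<', '&#60;').replace('>', '&#62;'),
        payload.replace('<', '&#x3c;').replace('>', '&#x3e;'),
        payload.replace('<', '\\u003c').replace('>', '\\u003e'),   # reflected inside a JS string literal
    )
    if any(form.lower() in lowered for form in neutralised):
        return 'encoded'
    return 'absent'


def verify_parameter(base_url, param, timeout=10):
    """Network check: fetch the probe URL and classify the body. Run it only against an
    instance you are authorised to test. Returns (HTTP status, classification); error pages
    are classified too, because they frequently echo the offending parameter."""
    url = build_probe_url(base_url, param)
    req = urllib.request.Request(url, headers={'User-Agent': 'xss-fix-verification'})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            charset = resp.headers.get_content_charset() or 'utf-8'
            return resp.status, classify_reflection(resp.read().decode(charset, 'replace'))
    except urllib.error.HTTPError as e:
        return e.code, classify_reflection(e.read().decode('utf-8', 'replace'))


if __name__ == '__main__':
    # Placeholder host, path and parameter from this page; substitute your own instance.
    print(build_probe_url('https://adobeconnect.example.com/some/vulnerable/page', 'param'))
```

A result of 'absent' for one parameter is not evidence that the fix is in place; it only means that parameter is not echoed on that page. Repeat the check for every parameter you know to be reflected, and treat 'raw' anywhere as a failed upgrade or a WAF that is not covering that path.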
CVE-2026-27245 is a critical Cross-Site Scripting (XSS) vulnerability affecting Adobe Connect versions up to and including 12.10, allowing attackers to inject malicious scripts into pages served by the application.
If you are using Adobe Connect versions 2025.3 or earlier, including 12.10, you are potentially affected by this vulnerability.
Upgrade Adobe Connect to version 2025.3 or later to resolve this vulnerability. Consider WAF rules as an interim measure.
While no active exploitation campaigns have been publicly reported, the vulnerability's nature suggests that exploitation is likely.
Refer to the official Adobe Security Bulletin for CVE-2026-27245 on the Adobe Security Advisories website.